//
#include "stdafx.h"
# include <Windows.h>
//代码来自看雪论坛
int main1()
{
DWORD dwPEB;
DWORD dwLDR;
DWORD dwInitList;
DWORD dwDllBase;//当前地址
PIMAGE_DOS_HEADER pImageDosHeader;//指向DOS头的指针
PIMAGE_NT_HEADERS pImageNtHeaders;//指向NT头的指针
DWORD dwVirtualAddress;//导出表偏移地址
PIMAGE_EXPORT_DIRECTORY pImageExportDirectory;//指向导出表的指针
PTCHAR lpName;//指向dll名字的指针
TCHAR szKernel32[] = TEXT("KERNEL32.dll");
TCHAR szBuffer[256]; __asm { mov eax, FS:[0x30]//获取PEB所在地址
mov dwPEB, eax } dwLDR = *(PDWORD)(dwPEB + 0xc);//获取PEB_LDR_DATA 结构指针
dwInitList = *(PDWORD)(dwLDR + 0x1c);
for (; dwDllBase = *(PDWORD)(dwInitList + 8);
dwInitList = *(PDWORD)dwInitList)
{ pImageDosHeader = (PIMAGE_DOS_HEADER)dwDllBase;
pImageNtHeaders = (PIMAGE_NT_HEADERS)(dwDllBase + pImageDosHeader->e_lfanew);
dwVirtualAddress = pImageNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress;
pImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(dwDllBase + dwVirtualAddress);
lpName = (PTCHAR)(dwDllBase + pImageExportDirectory->Name);
if (strlen(lpName) == 0xc && !strcmp(lpName, szKernel32))
wsprintf(szBuffer, TEXT("kernel32.dll的基地址为%0x"), dwDllBase);
MessageBox(NULL, szBuffer, NULL, MB_OK);
}
return 0;}
浙公网安备 33010602011771号